from the yeah-ok-then dept

Despite the FBI finally admitting it had greatly exaggerated the number of encrypted devices it can't get into, FBI Director Chris Wray keeps pushing the "going dark" theory to whoever will listen. This time it was NBC's Lester Holt. In an interview during the Aspen Security Forum, Wray again hinted he was moving towards an anti-encryption legislative mandate if some sort of (impossible) "compromise" couldn't be reached with tech companies. (Transcription via Eric Geller.)

I think there should be [room for compromise]. I don't want to characterize private conversations we're having with people in the industry. We're not there yet for sure. And if we can't get there, there may be other remedies, like legislation, that would have to come to bear.

The "compromise" Wray wants is simple: if law enforcement has a warrant, it gets access. The solution isn't. To weaken or backdoor encryption to serve law enforcement's needs makes everyone -- not just criminal suspects -- less safe. If a hole can be used by good guys, it can be used by bad guys. And even the best guys can't prevent their tech tools from making their way into the public domain. Just ask the NSA and CIA. In the case of the NSA, leaked exploits resulted in worldwide ransomware attacks.

Wray pitches an impossibility by portraying it as a lack of effort by the tech industry. The tech industry -- the one with all the "brightest minds" -- have been consistent in their stance. A hole for one is a hole for all. There's no such thing as securely-compromised encryption. Wray's response has also been consistent: they're just not thinking hard enough. The only "compromise" pitched by members of the tech sector is basically re-skinned key escrow -- the thing that went out of fashion with the death of the Clipper Chip.

Wray's pitch now includes an appeal to the modern wonders of the world, as if these examples change the equation at all:

We're a country that has unbelievable innovation. We put a man on the moon. We have the power of flight. We have autonomous vehicles… [T]he idea that we can't solve this problem as a society -- I just don't buy it.

First off, bringing the space program into this is ridiculous. All it does is demonstrate the government has access to some of the best minds, but Wray expects the private sector to provide, maintain, and bear the expense of a law enforcement-friendly encryption "solution." (And if it fails to deliver, Wray's more than willing to ask the government to force the private sector to play ball.)

Second, putting a man on the moon was the side effect of a Cold War cock-measuring contest with the USSR. While the nation has derived many benefits over the years from the space program, the "man on the moon" mission was a way of expressing superiority and implying that our weaponry was similarly advanced. The US government showed the world how powerful it was. I don't think that's the analogy you want to make when discussing personal device encryption.

And third, the whole "putting a man on the moon" analogy was solidly mocked on John Oliver's program two years ago when he quoted cryptography expert Matt Blaze accurately saying, "When I hear 'if we can put a man on the moon, we can do this' I'm hearing an analogy almost saying "if we can put a man on the moon, surely we can put a man on the sun.'" Not every issue is the equivalent of putting a man on the moon.

While the others listed are private sector achievements, they're simply not good comparisons. Encryption methods continue to advance in complexity and ease-of-use. This is innovation, even if it's innovation Chris Wray doesn't like. Each of the innovations listed solved problems and created markets. In this case the problem is device security. Encryption solves it. Who wants secure devices? Everyone who buys one.

The rise of smartphones has seen users replace their houses with handheld devices as the primary storage for a life's-worth of documents, along with access to a great deal of financial and personal info. Device makers want to ensure a stolen phone doesn't mean a stolen life. Wray (and others) don't want to do anything more than obtain warrants to scrape the digital innards of devices they seize. In other words, when the FBI encounters a locked safe in someone's house, Wray would believe it's the manufacturer's fault for the safe failing to unlock immediately in the presence of a search warrant.

Still, Wray believes society as a whole would be better off with weaker encryption because sometimes terrorists and criminals use encryption.

Because to the extent that the bad guys have shifted more and more to living their whole lives through encrypted devices and encrypted messaging platforms, that if we don't find a way to access that information with lawful process, we're in a bad place as a country.

Default encryption has been around for a few years now and there's no evidence we're less safe as a nation. Very few prosecutions have been dead-ended because investigators couldn't get into a phone. The problem is presented as swiftly-growing and inevitable, but there's been nothing delivered as evidence of these claims. The FBI has continually pointed to its growing pile of locked devices as Exhibit A in the War on Encryption, but has never presented anything at all to give these claims of diminishing public safety any credence. All we know for sure at this point is the FBI can't count. It used a wrong number (~7,800) to push the narrative and still expects us to believe it after it admitted this count was nearly four times higher than the actual number of devices in its possession.

Wray needs to stop complaining about the tech sector until his own agency can demonstrate its ability to approach the issue with facts, verified numbers, and intellectual honesty.

from the cleanup-on-aisle-7800 dept

The FBI's push for encryption backdoors relied on ever-skyrocketing numbers of uncracked devices the agency's best and brightest just couldn't seem to access. "Look!" DOJ and FBI officials said, pointing lawmakers at charts showing an explosion in the number of locked devices over the last couple of years. Unsustainable, it seemed to say. But it was all a lie. Not a deliberate lie, maybe, but a lie nonetheless. A convenient misrepresentation of the problem caused by a software error.

“The FBI’s initial assessment is that programming errors resulted in significant over-counting of mobile devices reported,’’ the FBI said in a statement Tuesday. The bureau said the problem stemmed from the use of three distinct databases that led to repeated counting of phones. Tests of the methodology conducted in April 2016 failed to detect the flaw, according to people familiar with the work.

This inflated the count from somewhere between 1,000-2,000 to nearly 8,000. That was the number used by Director Christopher Wray and AG Jeff Sessions in testimony to Congress and speeches to law enforcement. That was the center of the narrative: a number that kept growing exponentially with no end in sight.

You'd think the agency would track devices better, what with officials constantly claiming each and every phone was "tied to a threat to the American people." Something that important shouldn't be carelessly handled. But the phones "tied to threats" were overcounted, suggesting a severe problem in the FBI's tracking system that might make it difficult to figure out which "threats" each phone is "tied" to if and when it ever gets around to cracking the devices.

In fiscal year 2017, we were unable to access the content of 7,775* devices…

Even if the count had been accurate (which it wasn't), the numbers were delivered dishonestly. What appears to be a cumulative total of all devices the FBI had collected over the years is presented in testimony as being the total number of devices the FBI couldn't unlock during a single fiscal year. This vastly misconstrues the severity of the issue and while FBI officials may have been unaware the FBI's software was delivering bogus counts, it didn't stop them from overstating the problem by presenting historical cumulative numbers as a single year's total.

Whatever number the FBI finally delivers will be decidedly underwhelming. Considering it still hasn't provided Congress with details of its attempts to access supposedly uncrackable devices, the FBI has managed to decimate its own forces in the new War on Encryption. It overplayed its hand -- perhaps inadvertently -- and weakened its argument severely. Something this important to the FBI was handled carelessly -- not because the FBI doesn't really want weakened encryption, but because the FBI will not do anything to weaken its anti-encryption position. It never bothered to check the phone count because the number given to officials was sufficiently impressive. That mattered far more than accuracy or honesty. "Fidelity, Bravery, Integrity" my ass.

from the tearing-new-FOIA-holes-in-the-FBI's-narrative dept

The FBI's growing number of uncracked phones remains a mystery. The agency claims it has nearly 8,000 phones in its possession which it can't get into, despite multiple vendors offering services that can allegedly crack any iPhone and countless Android devices.

The push for mandated backdoors and/or weakened encryption continues, with successive FBI heads (James Comey, Chris Wray) declaring public safety is being threatened by the agency's locked phone stockpile. This push seems doubly insincere given a recent Inspector General's report, which revealed agency officials slow-walked the search for a third-party solution to unlock a phone belonging to the San Bernardino shooter.

Legislators have taken notice of the FBI's disingenuous push for a legislative mandate. Back in April, a group of lawmakers sent a letter to the FBI asking what it was actually doing to access the contents of its growing collection of locked phones and why it insisted there were no other options when it was apparent vendors were offering phone-cracking solutions.

[W]e have submitted a FOIA request to the FBI, as well as the Offices of the Inspector General and Information Policy at DoJ. Among other things, we are asking the FBI to tell the public how they arrived at that 7,775 devices figure, when and how the FBI discovered that some outside entity was capable of hacking the San Bernardino iPhone, and what the FBI was telling Congress about its capabilities to hack into cellphones.

The FBI is in no hurry to make this information public, so it will probably take a lawsuit to get its response rolling. It still has yet to answer the questions posed to it by Congress, even as it continues to push its "going dark" narrative anywhere Director Chris Wray is given the opportunity to speak.

The ever-growing number of locked phones is a true mystery, considering the number saw exponential growth -- swelling from under 1,000 phones in 2016 to nearly 8,000 phones only two years later. This happened without exponential growth in deployed encryption, but also closely tracks with the rise of James Comey's "going dark" theory and the aftermath of the FBI's failed attempt to secure a favorable precedential decision in the San Bernardino shooter case.

Whatever is revealed should answer a few questions. Unfortunately, the answer may end up being that the FBI truly isn't interested in anything more than solutions mandated by the government.

from the saying-the-same-thing-over-and-over-doesn't-make-it-true dept

FBI Director Chris Wray was back on the "going dark" stump this week. In a speech [PDF] at Boston College, Wray again stated, without evidence, that it wasn't impossible to create weakened encryption that isn't weakened. (via Cyrus Farivar at Ars Technica)

We have a whole bunch of folks at FBI Headquarters devoted to explaining this challenge and working with stakeholders to find a way forward. But we need and want the private sector’s help. We need them to respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity. We need to have both, and can have both. I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available. But I just don’t buy the claim that it’s impossible.

It really doesn't matter whether or not Wray "buys" this claim. If you deliberately weaken encryption -- either through key escrow or by making it easier to bypass -- the encryption no longer offers the protection it did before it was compromised. That's the thing about facts. They're not like cult leaders. They don't need a bunch of true believers hanging around to retain their strength.

Yet Wray continues to believe this can be done. He has yet to provide Senator Ron Wyden with a list of tech experts who feel the same way. The "going dark" part of his remarks is filled with incongruity and non sequiturs. Like this, in which Wray says he doesn't want backdoors, but rather instant access to encrypted data and communications… almost like a backdoor of some sort.

We’re not looking for a “back door” – which I understand to mean some type of secret, insecure means of access. What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause.

If by "backdoor," he means insecure exploit, then he's technically correct. If by "not a backdoor," he means another door located on the front or side or connected to the basement or whatever, then what difference does the door's location really make? A door is door and it provides an opening where there wasn't one previously.

Solutions have been provided. There's no shortage of people suggesting workarounds. Metadata is valuable even if Wray continues to downplay it. It's a weird position for him to take considering the agency's long reliance on metadata swept up by the NSA. Devices can be hacked, but Wray continues to assert this isn't a solution either, even after Cellebrite made the stunning announcement it could crack any iPhone, including the latest models. There are a variety of third parties hosting communications in cloud services, all of which could be approached to gain access to at least some evidence. Even public enemy #1, Apple, stores encryption keys for its iCloud services, which would give law enforcement much of what can't be obtained from a locked device.

Wray doesn't want a solution that isn't forced subservience of tech companies. That's become plainly apparent as he continues his anti-encryption crusade. Tech experts are ignored. Hacking breakthroughs like Cellebrite's aren't even cited. Legislators, for the most part, have offered no support for anti-encryption legislation, and yet Wray continues to push for technical access he can't define and proclaim his rightness despite having no expertise in the subject matter.

He also mentioned the stack of cellphones the agency claims it can't access -- 7,800 devices or more than half of those the FBI tried to access last year. But the number is meaningless. Wray claims they're all tied to investigations in one way or another, but does not describe what efforts were made to access their contents. Were the phones owners approached and asked for passcodes? Were the phones owners presented with the option of unlocking the devices or facing contempt charges? Were phones sent to Cellebrite or its competitors? Or has the FBI simply shrugged its shoulders, thrown them in a big pile, and decided to let the problem go unaddressed until it has enough legislators on its side?

In this discussion of The 7,800 Phones That Couldn't Be Broken, Wray mentioned something that shows the FBI won't be happy until it has mandated access to all encrypted data -- not just data at rest on locked devices.

Being unable to access nearly 78-hundred devices is a major public safety issue. That’s more than half of all the devices we attempted to access in that timeframe. And that’s just at the FBI. That’s not even counting devices sought by other law enforcement agencies – our state, local, and foreign counterparts. It also doesn’t count important situations outside of accessing a specific device, like when terrorists, spies, and criminals use encrypted messaging apps to communicate, which is an increasingly widespread problem.

Wray ended his speech as he always does -- with emotional appeals meant to throw shade on the tech experts who've told him his safely-broken encryption dreams are impossible.

After all, America leads the world in innovation. We have the brightest minds doing and creating fantastic things. A responsible solution will incorporate the best of two great American traditions – the rule of law and innovation. But for this to work, the private sector needs to recognize that it’s part of the solution. Again, I’m open to all kinds of ideas. But I reject this notion that there could be such a place that no matter what kind of lawful authority you have, it’s utterly beyond reach to protect innocent citizens. I also can’t accept that anyone out there reasonably thinks the state of play as it exists now – much less the direction it’s going – is acceptable.

Broken down, his final thoughts on "going dark" run like this:

1. Smart people refuse to help us.

2. They are irresponsible.

3. They are part of the problem.

4. They are making America unsafe.

Christ, what an asshole. The private sector is doing far more to "protect innocent citizens" than the FBI is. Encryption makes communications and data transfer much, much safer. Wray wants this weakened for one reason: to give law enforcement immediate access. Will this make America safer? The answer is no. Default encryption has been available for years now and there's been no corresponding spike in criminal activity and no loud chorus of united law enforcement officials lamenting their inability to close cases or prosecute people. America's jails are as full as they've ever been and crime rates remain far lower than they were prior to the advent of smartphones and encryption-by-default. It's only a very small number of law enforcement officials that seem to have a problem with this, but they're by far the loudest and most visible.

from the do-as-we-say,-not-as-we-do dept

We've noted for some time how Chinese hardware vendor Huawei has been consistently accused of spying on American citizens without any substantive, public evidence. You might recall that these accusations flared up several years ago, resulting in numerous investigations that culminated in no hard evidence whatsoever to support the allegations. We're not talking about superficial inquiries, we're talking about eighteen months, in-depth reviews by people with every interest in exposing them. One anonymous insider put it this way in the wake of the last bout of hysteria surrounding the company:

"We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there."

Never mind that almost all U.S. network gear is made in (or comprised of parts made in) China. Never mind that years of reports have shown the United States spies on almost everyone, constantly. Never mind that reports have emerged that a lot of the spy allegations often originate with Huawei competitor Cisco, which was simply concerned with the added competition. Huawei is a spy. We're sure of it. And covert network snooping is bad. When China does it.

Worries over Huawei bubbled up again recently when the U.S. government pressured both AT&T and Verizon to kill off plans to sell Huawei phones here in the States. It should be noted that Huawei phones are already available here, and the company has worked with several U.S. companies to gain a foothold in the U.S. market (like when it partnered with Google on the Nexus 6P). It should also probably be noted that in the modern era, you can't really differentiate between where a company like AT&T ends and the NSA begins, given the telco's extreme enthusiasm for spying on American citizens itself.

This week, hysteria concerning Huawei again reached a fevered pitch, as U.S. intelligence chiefs, testifying before Congress over Russian hacking and disinformation concerns, again proclaimed that Huawei was spying on American citizens and their products most assuredly should not be used:

"At the hearing, FBI Director Chris Wray testified, “We’re deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don’t share our values to gain positions of power inside our telecommunications networks." Purchasing Huawei or ZTE products, Wray added, “provides the capacity to maliciously modify or steal information. And it provides the capacity to conduct undetected espionage."

Which values would those be, exactly? Would it be the values, as leaked Edward Snowden docs revealed, that resulted in the NSA hacking into Huawei, stealing source code, then attempting to plant its own backdoors into Huawei products? Or perhaps it's the values inherent in working closely with companies like AT&T to hoover up every shred of data that touches the AT&T network and share it with the intelligence community? Perhaps it's the values inherent in trying to demonize encryption, by proxy weakening security for everyone?

News outlets, semi-oblivious to their own nationalism, quickly ignored the NSA's hypocrisy when it comes to worrying about values and regurgitated the intel chiefs' concerns. Few could also be bothered to note that numerous investigations have culminated in bupkis, the NSA has routinely and consistently been caught doing precisely what they accuse Huawei of, or that American companies tend to drum up hysteria on this front simply because they're afraid of competition (protectionism we routinely and justly accuse China of).

Focusing on Huawei also seems semi-myopic, given the fact that Chinese hardware can already be found in an absolute ocean of products available here in the States, many of which are made by U.S. hardware vendors. It also ignores the fact that if somebody really wants to hack us, all they need to do is spend five seconds hunting down one of a million poorly secured internet of broken things devices, which create millions of new easily-exploited attack vendors annually in businesses and residences nationwide.

None of this is to say it's impossible that Huawei has helped the Chinese government spy, much like our own companies here in the States. But if you're going to discuss this subject, you can't have an honest conversation without highlighting our own hypocrisy on this front, given it's abundantly clear that we're perfectly OK with unethical behavior, backdoors, and spying with negligible oversight and accountability -- provided the United States is the one doing it.

from the perhaps-there's-a-reason-he-won't-say... dept

For the past few months, we've talked about how FBI Director Chris Wray has more or less picked up where his predecessor, James Comey, left off when it came to the question of encryption and backdoors. Using a contextless, meaningless count of encrypted seized phones, Wray insists that not being able to get into any phone the FBI wants to get into is an "urgent public safety issue."

Of course, as basically every security expert has noted, the reverse is true. Weakening encryption in the manner that Wray is suggesting would create a much, much, much bigger safety issue in making us all less safe. Hell, even the FBI used to recommend strong encryption as a method to protect public safety.

Last month, we wrote about a letter sent by Senator Ron Wyden to Wray, simply asking him to list out the names of encryption experts that he had spoken to in coming to his conclusion that it was possible to create backdoors to encryption without putting everyone at risk.

I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.

Technically, Wray still has a week or so to answer, but earlier this week during an open Senate hearing involving the heads of various law enforcement and intelligence agencies, Wyden asked Wray when he might get that list and Wray sidestepped the question entirely, other than saying he'd discuss it later (in a closed session):

If you can't see that, here's my quick transcript (though I do recommend watching the video just to see the smartass smirk on Wray's face through much of it).

Wyden: On encryption. Director Wray, as you know, this isn't a surprise because I indicated, I would ask you about this. You have essentially indicated that companies should be making their products with backdoors in order to allow you all to do your job. And we all want you to protect Americans and at the same time, sometimes there are these policies that make us less safe and give up our liberties. And that's what I think we get with what you all are advocating which is weak encryption. Now this is a pretty technical area, as you and I have talked about it. And there's a field known as cryptography. I don't pretend to be an expert on it. But I think there is a clear consensus among experts in the field against your position to weaken strong encryption. So I have asked you for a list of the experts that you have consulted. I haven't been able to get it. Can you give me a date this afternoon when you will give me... this morning, a sense of when we will be told who are these people who are advising you to pursue this route. Because I don't know of anybody who is respected in this field who is advising that it is a good idea to adopt your position to weaken strong encryption. So can I get that list?

Wray: I would be happy to talk more about this topic this afternoon. My position is not that we should weaken encryption. My position is that we should be working together -- the government and the private sector -- to try to find a solution that balances both concerns.

Wyden: I'm on the program for working together. I just think we need to be driven by objective facts, and the position you all are taking is out of sync with what all the experts in the field are saying and I'd just like to know who you all have been consulting, and we'll talk more about it this afternoon.

So, a few points on this. First, Wray doesn't answer the actual question of when he'll be giving Wyden a list, but rather suggests he'll discuss this topic in the closed session. But the question of when he'll be delivering his list of experts he's consulted shouldn't be a classified piece of information. It's just a date. Second, Wray immediately misrepresents the issue, by saying he's not asking to weaken encryption. Because he has to realize by now that that's exactly what he's asking to do. If he doesn't recognize that then it's clear he doesn't understand the first thing about how encryption actually works. Third, he's incorrectly talking about "balancing both concerns." But there's no balancing question here. It is not a "balance" between "security" and "civil liberties" as some keep trying to make it out to be. This is a concern between good security and bad security that makes everyone less safe (oh, and also has the potential to violate civil liberties).

It does not inspire confidence to have Wray have trouble answering such a basic question and then totally misrepresent how this all works, even in his two sentence answer.

from the not-so-great-when-you're-on-the-receiving-end-of-a-bludgeoning-interrogation dept

I cannot wait to see FBI Director Christopher Wray try to escape the petard-hoisting Sen. Ron Wyden has planned for him. Wray has spent most of his time as director complaining about device encryption. He continually points at the climbing number of locked phones the FBI can't crack. This number signifies nothing, not without more data, but it's illustrative of Wray's blunt force approach to encryption.

I'm sure Wray views himself as a man carefully picking his way through the encryption minefield. But there's nothing subtle about his approach. He has called encryption a threat to public safety. His lead phone forensics person has called Apple "evil" for offering it to its users. He has claimed the move to default encryption is motivated by profit. And if that's not the motivation, then it's probably just anti-FBI malice. Meanwhile, he claims the FBI has nothing but the purest intentions when it calls for encryption backdoors, even while Wray does everything he can to avoid using that term.

He claims the solution is out there -- a perfect, seamless blend of secure encryption and easy law enforcement access. The solution, he claims, is most likely deliberately being withheld by the "smart people." These tech companies that have made billionaires of their founders are filled with the best nerds, but they're just not applying themselves. Wray asserts -- without evidence -- that secure encryption backdoors are not only possible, but probable.

Senator Ron Wyden has had enough. He's calling out Director Wray on his bullshit. Publicly. His letter [PDF] demands Wray hand over information on his encryption backdoor plans. Specifically, Wyden wants Wray to name names. [via Kate Conger at Gizmodo]

Your stated position parrots the same debunked arguments espoused by your predecessors, all of whom ignored the widespread and vocal consensus of cryptographers. For years, these experts have repeatedly stated that what you are asking for is not, in fact, possible. Building secure software is extremely difficult, and vulnerabilities are often introduced inadvertently in the design process. Eliminating these vulnerabilities is a mammoth task, and experts are unified in their opinion that introducing deliberate vulnerabilities would likely create catastrophic unintended consequences that could debilitate software functionality and security entirely.

I would like to learn more about how you arrived at and justify this ill-informed policy proposal. Please provide me with a list of the cryptographers with whom you've personally discussed this topic since our July 2017 meeting and specifically identify those experts who advised you that companies can feasibly design government access features into their products without weakening cybersecurity. Please provide this information by February 23, 2018.

Remember how FBI directors (Wray, Jim Comey) claimed they just wanted to have "an adult conversation" with tech experts and cryptographers? My guess is they've never even tried. Wray hasn't held the post for long, but he's been beating Comey's weathered anti-encryption drum as long as he's held the title. And in all this time, I doubt he has talked to anyone in the tech industry directly about his encryption backdoor theory. Even if he has, he certainly hasn't found anyone who agrees such a thing can be done without weakening device security. Wray will have no answers for Wyden. We can only hope being publicly embarrassed by Senator Wyden will force him to rethink his position.

from the thanks,-g-men.-we'll-take-it-under-advisement. dept

The FBI continues its anti-encryption push. It's now expanded past Director Christopher Wray to include statements by other FBI personnel. Not that Chris Wray isn't taking every opportunity he can to portray personal security as a threat to the security of the American public. He still is. But he's no longer the only FBI employee willing to speak up on the issue.

The Federal Bureau of Investigation was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency's work, Wray said during a speech at a cyber security conference in New York.

The FBI has been unable to access data in more than half of the devices that it tried to unlock due to encryption, Wray added.

"This is an urgent public safety issue," Wray added, while saying that a solution is "not so clear cut."

The solution is clear cut, even if it's not workable. What Wray wants is breakable encryption. And he wants companies to do the work and shoulder the blame. Wray wants to be able to show up at Apple's door with a warrant and walk away with the contents of someone's phone. How that's accomplished isn't really his problem. And he's not intellectually honest enough to own the collateral damage backdoored encryption would cause. But that's how Wray operates. He disparages companies, claiming encryption is all about profit and the government is all about caring deeply for public safety. Both statements are dishonest.

But Wray isn't the only FBI employee taking the move to default encryption personally. And the others commenting are taking the rhetoric even further, moving towards personal attacks.

On Wednesday, at the the International Conference on Cyber Security in Manhattan, FBI forensic expert Stephen Flatley lashed out at Apple, calling the company “jerks,” and “evil geniuses” for making his and his colleagues' investigative work harder. For example, Flatley complained that Apple recently made password guesses slower, changing the hash iterations from 10,000 to 10,000,000.

That means, he explained, that “password attempts speed went from 45 passwords a second to one every 18 seconds,” referring to the difficulty of cracking a password using a “brute force” method in which every possible permutation is tried.

[...]

“At what point is it just trying to one up things and at what point is it to thwart law enforcement?" he added. "Apple is pretty good at evil genius stuff."

This is great. Apple is now an "evil genius" because it made stolen iPhones pretty much useless to thieves. Sure, the device can be sold but no one's going to be able to drain a bank account or harvest a wealth of personal information. This was arguably in response to law enforcement (like the FBI!) complaining cellphone makers like Apple were assholes because they did so little to protect users from device theft. And why should they, these greedy bastards? Someone's phone gets stolen and the phone manufacturer now has a repeat customer.

Encryption gets better and better, limiting the usefulness of stolen devices and now Apple is an "evil genius" engaged in little more than playing keepaway with device contents. Go figure.

The FBI's phone hacker did have some praise for at least one tech company: Cellebrite. The Israeli hackers were rumored to have helped the FBI get into San Bernardino shooter Syed Farook's phone after a failed courtroom showdown with Apple. The FBI ended up with nothing -- no evidence on the phone and no court precedent forcing companies to hack away at their own devices anytime the government cites the 1789 All Writs Act.

Now we're supposed to believe device makers are the villains and the nation's top law enforcement agency is filled with unsung heroes just trying to protect the public from greedy phone profiteers. I don't think anyone believes that narrative, possibly not even those trying to push it.

from the doing-less-with-more dept

The new director of the FBI, Christopher Wray, has apparently decided to take up James Comey's anti-encryption fight. He's been mostly quiet on the issue since assuming the position, but the DOJ's recent calls for "responsible encryption" has emboldened the new FBI boss to speak up on the subject.

And speak up he has. Although the FBI still hasn't released the text of his remarks to the International Association of Chiefs of Police, more than a few sites are reporting it was the usual "go team law enforcement" boosterism, but with the added zest of phone encryption complaints.

He also spoke about roadblocks in dealing with cellphone encryption technology, saying that in first 11 months of the fiscal year, the FBI has been unable to access content from 6,900 mobile devices despite having the proper legal authority to do so.

"It's going to be a lot worse than that in just a couple of years if we don't come up with some responsible solution," he lamented. "I'm open to all ideas."

All ideas, maybe. But certainly not all viewpoints. The Deputy Attorney General has made it clear in multiple speeches he views phone encryption as the end result of tech companies' low-minded pursuit of revenue. DAG Rosenstein repeatedly emphasized US law enforcement measures success by a different standard -- a standard mercenary phone manufacturers couldn't even begin to approach.

"I get it, there's a balance that needs to be struck between encryption and the importance of giving us the tools we need to keep the public safe."

But does he actually "get it?" What if the status quo is the ending "balance?" Would that satisfy Wray? Doubtful. He wants law enforcement-friendly security holes and he wants tech companies to provide them voluntarily.

The number of locked devices means nothing. The "6,900 mobile devices" will be 8,000 or 10,000 by early next year -- sound-and-fury totals signifying nothing. It was 6,000 phones when Comey trotted out numbers earlier this year. It will always increase and it will always grab eyeballs but it won't ever mean anything unless the FBI is willing to provide a lot more context.

Is the FBI just spectacularly bad at cracking cell phones? We're not hearing these complaints from local law enforcement agencies with less expertise and lower budgets. Is the FBI just not even trying? Is it not using everything it has available -- including a number of judicial forgiveness plans for rights violations -- to get into these phones? It's inconceivable the nation's top law enforcement agency is experiencing nearly a 50% failure rate when it comes to locked phones.

All Wray says is there are 6,900 phones the FBI hasn't gotten into. Yet. What's never discussed is how many investigations resumed unimpeded by cellphone encryption. Phones are not the sole repository of criminal evidence in any investigation. The FBI has options even if the seized phone seems impermeable. The FBI insinuates it's being stopped, but never specifies how many of these phones have resulted in terminated investigations.

It's just a number, divorced from context, but one the FBI can ensure will always be larger than last time it was mentioned.

from the BACK-TO-WORK,-NERDS dept

Trump's pick to head the FBI -- former DOJ prosecutor Christopher Wray -- appeared before the Senate to answer several questions (and listen to several long-winded, self-serving statements). Wray's confirmation hearing went about as well as expected. Several senators wanted to make sure Wray's loyalty lay with the nation rather than the president and several others hoped to paint him into a Comey-bashing corner in order to belatedly justify Trump's firing of his (potential) predecessor.

I think this is one of the most difficult issues facing the country. There's a balance that has to be struck between the importance of encryption, which I think we can all respect when there are so many threats to our systems, and the importance of giving law enforcement the tools that they need to keep us safe.

You can already tell where this is going. Encryption is great and all, but what's would be really great is some sort of backdoor-type thingy.

Wray continued by swiftly jumping to the other side of the argument -- at least in terms of team uniform. Certainly not in terms of how the "other side" feels about encryption and backdoors.

I don't know sitting here today as an outsider and a nominee before this committee what the solution is, but I do know that we have to find a solution. And my experience in trying to find solutions is that it's more productive for people to work together than to be pointing fingers blaming each other. And that's the approach I've tried to take to almost every problem I've tackled. And that's the approach I would want to take here in working with this committee and the private sector.

One advantage to having been in the private sector for a while is that I think I know how to talk to the private sector, and I would look for ways to try to see if I could get the private sector more on-board to understand why this issue is so important to keep us all safe.

So far, so Comey. New suit in the office, but it fits the same as the last one. Wray thinks both sides should work together but strongly hints the actual work will have to be done by the private sector. The problem, according to a guy who's worked "both sides," is the private sector needs to be more "on-board." And that indicates Wray feels the problem isn't the lack of both sides working together, but the other side not capitulating. That's a problem, and it sounds a whole lot like X more years of Comey.